This is in regards to: http://www.securityfocus.com/bid/53694

This is an uncoordinated release; the author did not make any attempt to notify us either by email or the public forum. The non-working exploit seems to have been copied and pasted from the RIPS source code analyzer, and the author didn't even bother to test or understand the code. A real hacker can read source code, not run a RIPS source code analyzer and publish the finding without due diligence.

This is the result:

Try: alert('..config.inc.php could not be loaded');

1) The "/" or %2F won't be accepted.

   $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal

2) It will only read a .js.gz file (I see attempts to load /etc/passwd but that doesn't make sense - I don't think he knows/understands how to read source code):

   readfile(SITE_PATH.'/js/'.$filename.'.js.gz');

   The bad chars will be stripped anyway ...

3) Test:

   http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
   http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php

The js_gzip.php was included as of v1.1.5a. Also older versions on my website:

http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.4.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5c.zip

I am fine with people publishing vulnerabilities to make code more secure. What I'm unhappy about is how some wannabe script kiddiot can just download source code analyzers/scanners and publish things WITHOUT any prior test and WITHOUT contacting vendors. I have had people publish their findings in my forum and I'm fine with that. But not when they don't at least test or contact me and it later turns out to be a false alarm.
Here's a copy & paste from v1.1.5a (old version - the same) /js/js_gzip.php:

<?php
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
// Baby Gekko content management system - Copyright (C) Baby Gekko.
// This is a SHARED SOURCE, NOT OPEN SOURCE (GPL).
// You may use this software commercially, but you are not allowed to create a fork or create a derivative of this software
// Please read the license for details
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
include ('../config.inc.php');
error_reporting(0);
// Delete every character except letters, digits, '.' and '_', so no path separator survives
$filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
$etag = sprintf('bbgk%u',crc32($filename));
header("Content-type: text/javascript; charset: UTF-8");
if(isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH'])) {
    if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag) {
        header('HTTP/1.1 304 Not Modified');
        exit();
    }
} else if (file_exists (SITE_PATH.'/js/'.$filename.'.js.gz')) {
    // Only the sanitized name with the fixed '.js.gz' suffix under SITE_PATH/js/ is ever read
    header("Vary: Accept-Encoding");
    header("Cache-Control: public, max-age=".(144000 * 24));
    header("Pragma: public");
    header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
    header("Content-Encoding: gzip");
    header("ETag: \"{$etag}\"");
    readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
} else {
    echo ("alert('{$filename} could not be loaded');");
}
?>
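To make the vendor's argument checkable rather than a matter of reading the regex by eye, here is an added Python harness (not part of the original post or of the Baby Gekko code) that ports the preg_replace filter from js_gzip.php, reproduces the path readfile() receives for the two test URLs from the post and the /etc/passwd style input it mentions, and checks whether the result stays under the js/ directory. SITE_PATH is an assumed stand-in value, the name "site" is a constructed legitimate input, and the strict_js_path allow-list variant is a defensive alternative of my own, not the project's code.

```python
import os
import re
from urllib.parse import unquote

# Assumed stand-in for the SITE_PATH constant that config.inc.php defines in
# the real product; any absolute directory works for this demonstration.
SITE_PATH = "/var/www/gekko"
JS_DIR = os.path.join(SITE_PATH, "js")


def sanitize_js_name(raw: str) -> str:
    """Python port of the filter in js_gzip.php:
        preg_replace("/[^a-z._\\d]/i", "", $_GET['js'])
    Every character that is not an ASCII letter, digit, '.' or '_' is deleted,
    so '/' and '\\' cannot survive and the result contains no path separator."""
    return re.sub(r"[^a-z._\d]", "", raw, flags=re.IGNORECASE | re.ASCII)


def path_given_to_readfile(query_value: str) -> str:
    """Reproduce the argument readfile() receives for a given ?js= value.
    PHP URL-decodes $_GET before the script runs, so %2F is decoded first."""
    name = sanitize_js_name(unquote(query_value))
    return os.path.join(JS_DIR, name + ".js.gz")


def path_without_filter(query_value: str) -> str:
    """Same path construction with the preg_replace step removed, to show what
    the filter is actually preventing."""
    return os.path.join(JS_DIR, unquote(query_value) + ".js.gz")


def confined_to_js_dir(path: str) -> bool:
    """Lexical containment check: after normalising '..' segments the path must
    still be JS_DIR or something beneath it."""
    normalised = os.path.normpath(path)
    return os.path.commonpath([normalised, JS_DIR]) == JS_DIR


def audit(query_values):
    """For each ?js= value: (sanitised name, path readfile() gets, confined?)."""
    results = {}
    for q in query_values:
        path = path_given_to_readfile(q)
        results[q] = (sanitize_js_name(unquote(q)), path, confined_to_js_dir(path))
    return results


# Allow-list alternative (not the project's code): reject instead of strip.
# Each dot-separated segment must be non-empty, so a leading '.' or '..' fails.
STRICT_NAME = re.compile(r"^[a-z0-9_]+(?:\.[a-z0-9_]+)*$", re.IGNORECASE)


def strict_js_path(query_value: str):
    """Return the file path only if the decoded name matches the allow-list and
    its realpath still lies under JS_DIR; otherwise None. The realpath step also
    covers a symlink inside js/ pointing elsewhere, which a lexical check does not."""
    name = unquote(query_value)
    if not STRICT_NAME.fullmatch(name):
        return None
    candidate = os.path.realpath(os.path.join(JS_DIR, name + ".js.gz"))
    base = os.path.realpath(JS_DIR)
    if os.path.commonpath([candidate, base]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the two URLs from the post, plus an /etc/passwd
    # attempt of the kind it mentions, and one ordinary name.
    samples = ["..%2Fconfig.inc.php", "../config.inc.php",
               "../../../../etc/passwd", "site"]
    for q, (name, path, ok) in audit(samples).items():
        print(f"{q!r:28} -> {name!r:22} {path}  confined={ok}")
        print(f"{'':28}    without filter: confined="
              f"{confined_to_js_dir(path_without_filter(q))}")
```

Running it shows the filtered paths never leave js/ (the traversal input collapses to "..config.inc.php.js.gz", which is exactly the name the alert() in the post reports as not loadable), while the unfiltered construction of "../config.inc.php" would escape to SITE_PATH. The strict variant is what I would reach for in new code: a value that fails the allow-list is refused outright instead of being silently rewritten into a different filename.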